
I need to implement SSO on our web API and I was reading about OpenID and IdentityServer. This is my first connection with SSO, OAuth and OpenID.

In the presentation movies I heard a lot about scopes and claims, but the presenter never explained what each one of these actually means. I went to the official site and searched there, but I didn't find a definition of the terms.

So, what exactly is a scope and what is a claim?

Anders
Buda Gavril

2 Answers


Claims are specific attributes about a user. Wiki defines it as "A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. For example, the statement can be about a name, group, buying preference, ethnicity, privilege, association or capability."

Source: Wiki

A scope is an indication by the client that it wants to access some resource; your server may allow or reject this. (Source: Oracle - OAuth Scopes)

To provide an example, in your application your user may have a name, email and company name - these are your claims. A client may request access to the Admin controller of your Web API; this would be a scope. In an SSO environment, it could be some other application in its own right, such as another API.

Google uses scopes to control access to its data transfer / analytics / ads APIs. (Source: Google OAuth Docs)

iainpb

To be more specific than the previous answer:

scope: A scope is a space-separated list of identifiers that specify what access privileges are being requested by the client application.

claims: A claim is a key-value pair that contains some information, e.g. user information.

For more details see - https://mannharleen.github.io/2020-03-11-id-access-tokens/#the-story-of-scopes--claims

human
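Added worked example (not code from the question, either answer, or IdentityServer itself): the two definitions above put into a small authorization-server / web-API round trip. The client requests a space-separated list of scopes, the server grants only the subset that client is registered for and writes the granted list into the token as the `scope` claim (the way IdentityServer and RFC 9068 JWT access tokens carry it), while the user's name, email and company travel as ordinary key-value claims. The API then verifies the token, gates the admin endpoint on the `api.admin` scope, and only afterwards reads the identity claims. Everything here is constructed for the example: the HS256 shared secret stands in for the asymmetric keys a real server would use, and the issuer, audience, scope names and claim values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, dev-only HMAC key. A real authorization server signs with an
# asymmetric key and the API verifies against the published JWKS instead.
SIGNING_KEY = b"constructed-dev-only-secret"
ISSUER = "https://idp.example"   # hypothetical IdentityServer address
API_AUDIENCE = "web-api"         # hypothetical API resource name


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject: str, requested_scope: str, client_allowed_scopes: set,
                       user_claims: dict, lifetime: int = 300) -> str:
    """Authorization-server side.

    requested_scope is the client's space-separated wish list; only the scopes
    this client is registered for are granted. The granted list becomes the
    'scope' claim, and the statements about the user become ordinary claims.
    """
    granted = [s for s in requested_scope.split() if s in client_allowed_scopes]
    now = int(time.time())
    payload = {
        "iss": ISSUER,
        "sub": subject,
        "aud": API_AUDIENCE,
        "iat": now,
        "exp": now + lifetime,
        "scope": " ".join(granted),   # scope: what the client may do
        **user_claims,                # claims: who the subject is
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_access_token(token: str) -> dict:
    """Web-API side: check algorithm, signature, issuer, audience and expiry
    before trusting any claim in the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != API_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= int(time.time()):
        raise ValueError("token expired")
    return claims


def granted_scopes(claims: dict) -> set:
    """Split the space-separated 'scope' claim back into a set of identifiers."""
    return set(claims.get("scope", "").split())


def call_admin_endpoint(token: str) -> str:
    """The scope gates the endpoint; the identity claims are read only after that."""
    claims = verify_access_token(token)
    if "api.admin" not in granted_scopes(claims):
        return "403 insufficient_scope"
    return "200 hello %s from %s" % (claims.get("name", claims["sub"]),
                                     claims.get("company", "?"))


def tamper_scope(token: str, new_scope: str) -> str:
    """Attacker's attempt: rewrite the 'scope' claim but keep the old signature.
    Exists only to show that verify_access_token rejects it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["scope"] = new_scope
    return header_b64 + "." + b64url_encode(json.dumps(payload).encode()) + "." + sig_b64
```

Running the functions in order shows the distinction the answers describe: a request for `api.read api.admin billing.write` from a client registered for `{api.read, api.admin}` yields a token whose `scope` claim is `api.read api.admin` (the unregistered scope is silently dropped), the same user sent through a client registered only for `api.read` gets `403 insufficient_scope` from the admin endpoint even though its name/email/company claims are identical, and editing the `scope` claim by hand fails at signature verification.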